Closed Bug 1188840 Opened 9 years ago Closed 8 years ago

Keep image and video data outside the player sandbox during loading

Categories

(Firefox Graveyard :: Shumway, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: till, Unassigned)

Details

We currently pass all loaded bytes into the player sandbox where the FileLoader parses the file header (for Loader#load operations, at least) and decides what kind of symbol to create. For streams, the bytes are appended to a buffer and then processed. For images, we wait until the file has been fully downloaded and then transfer the buffer to the GFX sandbox where an Image instance is created.

Currently, this is fine because we only allow loading from hosts that provide a crossdomain.xml file allowing the loading SWF data access, in which case reading the bytes doesn't leak any information the SWF couldn't have read anyway.

We want to be able to load images and videos from hosts without crossdomain.xml files though. For those, the player mustn't ever be able to read the underlying bytes. We don't, however, trust our sandboxing of content code, so we have to assume that all data we pass into the player sandbox is compromised. That means we have to stop passing in the bytes in the first place. Instead, we should pass them into the GFX sandbox (where we have to have them in order to render). The player should only be informed about loading progress and completion.

Note that for this to make sense we also have to prevent BitmapData readbacks from cross-domain-loaded images we don't have a crossdomain.xml file for, and BitmapData#draw of trees that contain such images.
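As an added example (not Shumway's own code), the loading path described above: bytes go to a GFX-side store, the player sandbox gets only progress and completion events, and BitmapData#draw refuses any tree containing an image loaded without a crossdomain.xml grant. The policy table, the Map standing in for the GFX store, and all function names are assumptions for illustration.

```javascript
// GFX sandbox side: opaque handle -> { bytes, tainted }. Hypothetical store.
const gfxStore = new Map();
let nextHandle = 1;

// Hypothetical policy table standing in for a fetched crossdomain.xml check:
// true means the host grants the loading SWF access to the raw bytes.
const CROSSDOMAIN_ALLOWS = { 'cdn.example': true, 'other.example': false };

function canReadBytes(host) {
  return CROSSDOMAIN_ALLOWS[host] === true;
}

// Entry point called on behalf of the untrusted player sandbox.
// `chunks` are constructed Uint8Array pieces of the download; `playerEvents`
// is the only channel back into the player and never carries bytes unless
// the crossdomain policy allows it.
function loadImage(host, chunks, playerEvents) {
  const readable = canReadBytes(host);
  const handle = nextHandle++;
  const buf = [];
  let loaded = 0;
  const total = chunks.reduce((n, c) => n + c.length, 0);
  for (const c of chunks) {
    buf.push(...c);                       // bytes accumulate on the GFX side only
    loaded += c.length;
    playerEvents.push({ type: 'progress', bytesLoaded: loaded, bytesTotal: total });
  }
  gfxStore.set(handle, { bytes: Uint8Array.from(buf), tainted: !readable });
  // Completion hands the player a handle; raw bytes only when policy permits.
  playerEvents.push({ type: 'complete', handle, bytes: readable ? Uint8Array.from(buf) : null });
  return handle;
}

// BitmapData#draw over a display tree: walk every node and refuse the
// readback if any node references a tainted (cross-domain, no grant) image.
function bitmapDataDraw(tree) {
  const stack = [tree];
  while (stack.length) {
    const node = stack.pop();
    if (node.handle !== undefined && gfxStore.get(node.handle).tainted) {
      throw new Error('SecurityError: readback of cross-domain image without crossdomain.xml');
    }
    for (const child of node.children || []) stack.push(child);
  }
  return true; // a real implementation would rasterize here
}
```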
Blocks: 1142774
No longer blocks: 1142774
Product: Firefox → Firefox Graveyard
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE